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Abstract. Game semantics is a trace-like denotational semantics for 
programming languages where the notion of legal observable behaviour 
of a term is defined combinatorially, by means of rules of a game between 
the term (the Proponent) and its context (the Opponent) . In general, the 
richer the computational features a language has the less constrained the 
rules of the semantic game. In this paper we consider the consequences 
of taking this relaxation of rules to the limit, by granting the Opponent 
omnipotence, that is, permission to play any move without combinatorial 
restrictions. However, we impose an epistemic restriction by not granting 
Opponent omniscience, so that Proponent can have undisclosed secret 
moves. We introduce a basic C-like programming language and we define 
such a semantic model for it. We argue that the resulting semantics is an 
appealingly simple combination of operational and game semantics and 
we show how certain traces explain system-level attacks, i.e. plausible 
attacks that are realisable outside of the programming language itself. 
We also show how allowing Proponent to have secrets ensures that some 
desirable equivalences in the programming language are preserved. 



1 Introduction 

Game semantics came to prominence by solving the long-standing open problem 
of full abstraction for PCF |H6j and it consolidated its status as a successful 
approach to modelling programming languages by being used in the definition 
of numerous other fully abstract programming language models. The approach 
of game semantics is to model computation as a formal interaction, called a 
game, between a term and its context. Thus, a semantic game features two 
players: a Proponent, representing the term, and an Opponent (O), representing 
the context. The interaction is formally described by sequences of game moves, 
called plays, and a term is modelled by a corresponding strategy, that is, the set 
of all its possible plays. To define a game semantics one needs to define what are 
the rules of the game and what are the abilities of the players. 

For PCF games, the rules are particularly neat, corresponding to the so- 
called "principles of polite conversation" : moves are divided into questions and 
answers; players must take turns; no question can be asked unless it is made 
possible {enabled) by an earlier relevant question; no answer can be given unless 
it is to the most recent unanswered question. The legality constraints for plays 
can be imposed as combinatorial conditions on sequences of moves. 



Strategies also have combinatorial conditions which characterise the players 
rather than the game. They are uniformity conditions which stipulate that if in 
certain plays P makes a certain move, in other plays it will make an analogous 
move. The simplest condition is determinism, which stipulates that in any strat- 
egy if two plays are equal up to a certain P move, their subsequent P moves must 
also be the same. Relaxing some of the combinatorial constraints on plays and 
strategies elegantly leads from models of PCF to models of more expressive pro- 
gramming languages. For example, relaxing a condition called innocence leads 
to models of programming language with state [2], relaxing bracketing leads to 
models of programming languages with control [9], and in the absence of alter- 
nation we obtain languages for concurrency [5]. 

Contribution. In this paper we consider the natural question of what happens if 
in a game semantics we remove combinatorial constraints from O's behaviour. 
Unlike conventional game models, our construction is asymmetric: P behaves 
in a way determined by the programming language and its inherent limitations, 
whereas O may represent plausible behaviour which is, however, not syntactically 
realizable neither in the language nor in some in obvious extensions. In this paper 
we will see that such a model is, in a technical sense, well formed and that the 
notion of equivalence it induces is interesting and useful. 

We study such a relaxed game model using an idealized type-free C-like lan- 
guage. The notion of available move is modelled using a notion of secret similar 
to that used in models of security protocols, formally represented using names. 
This leads to a notion of Opponent which is omnipotent but not omniscient: it 
can make any available move in any order, but some moves can be hidden from 
it. This is akin to Dolcv-Yao attacker model of security. 

We show how inequivalences in this semantic model capture system-level at- 
tacks, i.e. behaviours of the ambient system which, although not realizable in 
the language itself, can be nevertheless enacted by a powerful enough system. 
Despite the existence of such a powerful ambient system we note that many 
interesting equivalences still hold. This provides evidence that questions of se- 
mantic equivalence can be formulated outside the conventional framework of a 
syntactic context. 

Technically, the model is expressed in an operationalised version of game 
semantics like Laird's [TT] and names are handled using nominal sets [4|. 

2 A system-level semantics 

2.1 Syntax and operational semantics 

We introduce a simple untyped C-like language which is just expressive enough 
to illustrate the basic concepts. A program is a list of modules, corresponding 
roughly to files in C. A module is a list of function or variable declarations. An 
exported variable or function name is globally visible, otherwise its scope is the 



module. In extended BNF-like notation we write: 

Prog ::= Mod* Mod ::= Hdr Mod Hdr ::= export x; import x; 
Del ::= deel x = n; Del | deel Func; Del \ e 

The header Hdr is a list of names exported and imported by the program, with 
x an identifier (or list of identifiers x) taken from an infinite set A/" of names, 
and neZ. 

As in C, functions are available only in global scope and in uncurried form: 

Func ::~ x(a;){local x; Stra return Exp; } 

A function has a name and a list of arguments. In the body of the function 
we have a list of local variable declarations followed by a list of statements 
terminated by a return statement. Statements and expressions are (with n G Z). 

Stm ::= e | if (Exp)then{Stm}else{Stm}; Stm \ Exp—Exp; Stra \ Exp{Exp*); Stra 
Exp ::= Exp -k Exp \ *Exp \ Exp(Exp*) | new() | n 

Statements are branching, assignment and function call. For simplicity, iteration 
is not included as we allow recursive calls. Expressions are arithmetic and logical 
operators, variable dereferencing (*), variable allocation and integer constants. 
Function call can be either an expression or a statement. Because the language 
is type-free the distinction between statement and expression is arbitrary and 
only used for convenience. 

If deel f(x){e} is a declaration in module M we define / @M = e\x], inter- 
preted as "the definition of / in M is e, with arguments x." 

A frame is given by the grammar below, with op G {=, *, ;}, op' G {*,—}. 

t ::= if (□) then {e} else {e} | □ op e \ v op □ | op 1 □ | □ e | v □ | (□, e) | {v,D) 

We denote the "hole" of the frame by □. We denote by Fs the set of lists of 
frames, the frame stacks. By v we denote values, defined below. 

Our semantic setting is that of nominal sets [4], constructed over the multi- 
sorted set of names Af = A/a l±l ATq W Af K where each of the three components 
is a countably infinite set of location names, function names and function con- 
tinuation names respectively. We range over names by a, b, etc. Specifically for 
function names we may use /, etc.; and for continuation names k, etc. For each 
set of names X we write \{X), 4>(X) and n(X) for its restriction to location, 
function and continuation names respectively. We write v{x) for the support of 
x, for any element x of a nominal set X , i.e. all the free names occurring in it. 

A store is defined as a pair of partial functions with finite domain: 

s G Sto = {N x ^fn (Z + A/a + A^)) x (M K Fs x N K ) 

The first component of the store assigns integer values (data), other locations 
(pointers) or function names (pointer to functions) to locations. The second 
stores continuations, used by the system to resume a suspended function call. 



We write A(s), k(s) for the two projections of a store s. By abuse of notation, 
we may write s(a) instead of A(s)(a) or n(s)(a). Since names are sorted, this is 
unambiguous. The support u(s) of s is the set of names appearing in its domain 
or value set. For all stores s, s' and set of names X ', we use the notations: 

restrict-to: only consider the subset of a store defined at a given set of names, 

s \ X = {(a,y) e s | a € X} 
restrict-from: only consider the subset of a store that is not defined at a given 

set of names, s\X = s \ (dom(s) \ X) 
update: change the values in a store, s[a i— ► x] = {(a, x)} U (s \ {a}) and, more 

generally, s[s'] = s' U (s \ dom(s')) 
valid extension: s C s' if dom(s) C dom(s') 

closure: Cl(s, X) is the least set of names containing X and all names reachable 
from X through s in a transitively closed manner, i.e. X C Cl(s,X) and if 
(a, y) g s with a £ C7(s, A') then v(y) e C7(s, A). 

We give a semantics for the language using a frame-stack abstract machine. It 
is convenient to take identifiers to be names, as it gives a simple way to handle 
pointers to functions in a way much like that of the C language. We define a value 
to be a name, an integer, or a tuple of values: v ::= () | a \ n \ (v,v). The value 
() is the unit for the tuple operation. Tupling is associative and for simplicity 
we identify tuples up to associative isomorphism, so (v,(v,v)) = ((v,v),v) = 
(v 7 v 7 v) and (v, ()) = v, etc. If a term is not a value we write it as e. 
The Program configurations of the abstract machine are 

(N | Ph s,t,e,k) eJV x AT x Sto x Js x Exp x Af K 

N is a set of used names; P C N is the set of public names; s is the program state; 
t is a list of frames called the frame stack; e is the (closed) expression, being 
evaluated; and k is a continuation name, which for now will stay unchanged. 
The transitions of the abstract machine 

(N \Ph s,t, e, k) — > (N' | P' h s', t', e', k) 

are defined by case analysis on the structure of e then t in a standard fashion, 
as in Fig. [T] Branching is as in C, identifying non-zero values with true and zero 
with false. Binary operators are evaluated left-to- right, also as in C. Arithmetic 
and logic operators (★) have the obvious evaluation. Dereferencing is given the 
usual evaluation, with a note that in order for the rule to apply it is implied that 
v is a location and s(v) is defined. Local-variable allocation extends the domain 
of s with a fresh secret name. Local variables are created fresh, locally for the 
scope of a function body. The new() operator allocates a secret and fresh location 
name, initialises it to zero and returns its location. The return statement is used 
as a syntactic marker for an end of function but it has no semantic role. 

Structural rules, such as function application and tuples are as usual in call- 
by-value languages, i.e. left-to-right. Function call also has a standard evaluation. 
The body of the function replaces the function call and its formal arguments x 
are substituted by the tuple of arguments v' in point-wise fashion. Finally, non- 
canonical forms also have standard left-to-right evaluations. 



Case e = v is a value. 



(JV | P h a, to (if (□) then {ei} else {e 2 }),v,k) — ► (JV \ P h s,t,ei,k), if « £ Z \ {0} 

(JV I P h s,t o (if (□) then {ei} else {e 2 }),i>,fc) — 5- (JV \ P h s,t,e 2 ,k), if « = 

(JV | P h s,t o (□ op e),v,k) — > (N \ P h s,t o (v op D),e,k) for op G {=,*, ; } 

(JV | Ph s, to (v*0),v', Jfe) — ► (JV | Ph s,t,u",fc>, and v" = i>W 

(JV | P h s, t o (v; □),«', fe> — ► (JV | Phs,(,«', fc> 

(JV | Ph s,t o (a = D),v,k) — > (JV | P h s[a h> w],t, (),fc) 

(JV | Ph s, to (*□),«, k) — > (JV | Ph s,t,s(v),k) 

(JV | P h s,t o (D;e), local z,fc) — > (JV U {a} \ P h s[a M> 0], t, e[a/a;], fc), if a <=L JV 
(JV | P h s,to (□(e)),u,fc) — >• (JV | P h s, to («(□)), e,fc) 
(JV | P h s,t o ((D,e)),v,k) — > (N | P h s,to ((«,□)), e, fc) 
(JV | P h s, to ((«,□)),«',&) — )■ (JV | P h s,t, («,«'), k) 

(JV | Ph s,to (/(□)), v',k) — > (JV | P h s,t,e[w7^],fc>, if f@M = e[x] (F) 
Case e is not a canonical form. 

(JV | P h s,t, if (e) then {ei} else {e 2 }, fe) — >■ (JV | P h s, t o (if (□) then {ei} else {e 2 }), e, fc) 

(JV | P h s,t,e op e', k) — > (JV | P h s,t o (□ op e'),e, fc),if op e {=,*, ; } 

(JV | P h s,t,op e,k) — > (JV | P h s,to (op □),e,fc>,if op G {return(-), *} 

(JV | P h s,t,new(),fc> — > (JV U {a} | P h s[a i-> 0], t, a, fc), if a G A/a \ JV 

(JV | Ph s,t,e(e'),fc) — ► (JV | P h s,to(D(e')),e,fe> 

(JV | Ph s,t,(e,e'),k) — > (JV | P h s, t o ((□, e')), e, fc> 

Fig. 1. Operational semantics 



2.2 System semantics 



The conventional function-call rule (|F]) is only applicable if there is a function 
definition in the module. If the name used for the call is not the name of a 
known function then the normal operational semantics rules no longer apply. 
We let function calls and returns, when the function is not locally defined, be 
a mechanism for interaction between the program and the ambient system. A 
System configuration is a triple ((JV | P h s)) eJVxjVx Sto. 

Given a module M we will write as [A/] a transition system defining its 
system-level semantics (SLS). Its states are <S[M] = S'j/sJM] U Prog\M\, where 
Prog\AI~\ is the set of abstract-machine configurations of the previous section 
and Sys\M\ is the set of system configurations defined above. The SLS is defined 
at the level of modules, that is programs with missing functions, similarly to what 
is usually deemed a compilation unit in most programming languages. 

Let Cps — Csp = {call/, u, fc | / e A/a, k <E Af K , v a value} U {retu, k 
k G Af K , v a value}. The transition relation is of the form: 



S [MJ C {ProglM\ x Prog{M\) U {Prog{M\ x C PS x Sto x SysfM}) 

U (Sys{Mj x C S p x Sto x ProglMf) 



In transferring control between Program and System the continuation point- 
ers ensure that upon return the right execution context can be recovered. We 
impose several hygiene conditions on how continuations are used, as follows. We 
distinguish between P-continuation names and S-continuation names. The for- 
mer are created by the Program and stored for subsequent use, when a function 
returns. The latter are created by the System and are not stored. The reason 
for this distinction is both technical and intuitive. Technically it will simplify 
proving that composition is well-defined. Intuitively, mixing S and P continua- 
tions does not create any interesting behaviour. If S gives P a continuation it 
does not know then P can only crash. It is not interesting for S to make P crash, 
because S can crash directly if so it chooses. So this is only meant to remove 
trivial behaviour. 

The first new rule, called program-to-system call is: 

Program-to-System call: 
(N PV- s, to (/(□)), v,k) call/, '" ,fc '> ((Nu{k'} | P'u{k'} h s[k' h> (t,k)}}) 

s\\(P>) 

if / @ M not defined, k' £ N, P' = Cl(s, P U v(v)). 

When a non-local function is called, control is transferred to the system. In game 
semantics this corresponds to a Proponent question, and is an observable action. 
Following it, all the names that can be transitively reached from public names 
in the store also become public, so it gives both control and information to the 
System. Its observability is marked by a label on the transition arrow, which 
includes: a tag call, indicating that a function is called, the name of the func- 
tion (/), its arguments (v) and a fresh continuation (£;'), which stores the code 
pointer; the transition also marks that part of the store which is observable 
because it uses publicly known names. 

The counterpart rule is the system-to-program return, corresponding to a 
return from a non-local function. 

Sy stem-to- Program return: 

((N | Phs)) retv ' k ') (N U v(v, s') | PU !/(«,«') h s[s'],f,v,k) 

s' 

if s (k') = (f, k), v(v, s') DNCP, A(i/(¥)) C !/(«'), s \ A(P) E s', k(s') = 0. 

This is akin to the game-semantic Opponent answer. Operationally it corre- 
sponds to S returning from a function. Note here that the only constraints on 
what S can do in this situation arc epistemic, i.e. determined by what it knows: 



1. it can return with any value v so long as it only contains public names or 
fresh names (but not private ones); 

2. it can update any public location with any value; 

3. it can return to any (public) continuation k' . 

However, the part of the store which is private (i.e. with domain in N\P) cannot 
be modified by S. So S has no restrictions over what it can do with known names 
and to known names, but it cannot guess private names. Therefore it cannot do 
anything with or to names it does not know. The restriction on the continuation 
are just hygienic, as explained earlier. 

There are two converse transfer rules corresponding to the program returning 
and the system initiating a function call: 

Sy stem-to- Program call: 

({N \P\-s)} call/ -"'S (NU{k}Uu(v,s') | P U {k} U v(v,s') h s[s'}, /(□), v, k) 

if /@M defined, k <£ dom(s), v(f, v, s') n N C P,\(v(v)) C v(s'),s \ A(P) E 
s',k(s')=0. 

Program-to- System return: 

(N | Ph s,-,v,k) ret "' fc > ((TV | P' h s)), where P' = CI(s,PUp(v)). 

s \\(P' ) 

In the case of the S-P call it is S which calls a publicly-named function from the 
module. As in the case of the return, the only constraint is that the function 
/, arguments v and the state update s' only involve public or fresh names. The 
hygiene conditions on the continuations impose that no continuation names are 
stored, for reasons already explained. Finally, the P-S return represents the ac- 
tion of the program yielding a final result to the system following a function call. 
The names used in constructing the return value are disclosed and the public 
part of the store is observed. In analogy with game semantics the function return 
is a Proponent answer while the system call is an Opponent guestion. 

The initial configuration of the SLS for module M is S®j = ((N | P h sq)). 
It contains a store sq where all variables are initialised to the value specified 
in the declaration. The set N of names contains all the exported and imported 
names, all declared variables and functions. The set P contains all exported and 
imported names. 

3 Compositionality 

The SLS of a module M gives us an interpretation [A/] which is modular and 
effective (i.e. it can be executed) so no consideration of the context is required in 
formulating properties of modules based on their SLS. Technically, we can reason 
about SLS using standard tools for transition systems such as trace equivalence, 
bisimulation or Hcnnessy-Milncr logic. 



We first show that the SLS is consistent by proving a compositionality prop- 
erty. SLS interpretations of modules can be composed semantically in a way that 
is consistent with syntactic composition. Syntactic composition for modules is 
concatenation with renaming of un-exported function and variable names to pre- 
vent clashes, which we will denote by using — • — . We call this the principle of 
functional composition. 

In this section we show that we can define a semantic SLS composition ® so 
that, for an appropriate notion of bisimulation in the presence of bound names 
and T-transitions: 

Functional composition. For any modules M, M'\ \M ■ M'\ ~ [A7] (g) \M'\. 



Let V range over program configurations, and fi over system configurations. 
We define semantic composition of modules inductively as in Fig. [2] (all rules have 
symmetric, omitted counterparts). We use an extra component 77 containing 
those names which have been communicated between either module and the 
outside system, and we use an auxiliary store s containing values of locations 
only. Continuation names in each II are assigned Program/System polarities, 
thus specifying whether a continuation name was introduced by either of the 
modules or from the outside system. We write k € Up when k £ II has Program 
polarity, and dually for k £ lis- We also use the following notations for updates, 
where we write Pr for the set of private names f (B, fi') \ 77. 

{n,s ) p [v,k,s} = (n',s'[s\) where 77' = Cl(s'[s], v(v) U 71) U {k} and k E 77p 
(77, s') s [v, k, s] = (77', s'[s}) where 77' = 77 U v(v, s \ TV) U {k} and k e II' S 

and (s' f 77) C s, s' \ 77 C s, v(v' , s \Pr)f\Pr = % 

The same notations are used when no continuation name k is included in the 
update. Private calls and returns are assigned T-labels, thus specifying the fact 
that they are internal transitions. 

The semantic composition of modules M and M' is given by [M] ® \M'\ = 
[M]^ Us ° \M'l where s is the store assigning initial values to all initial public 
locations of [M], and similarly for s' Q , and 77o contains all exported and imported 
names. The rules of Fig. [5] feature side-conditions regarding name-privacy. These 
stem from nominal game semantics [lOj and they guarantee that the names 
introduced (freshly) by M and M' do not overlap and that the names introduced 
by the system in the composite module do not overlap with any of the names 
introduced by M or A7'. The former condition is necessary for correctness. The 
latter is typically needed for associativity. 

Let us call the four participants in the composite SLS Program A, System A, 
Program B, System B. Whenever we use X, Y as Program or System names they 
can be either A or B, but different. Whenever we say Agent we mean Program 
or System. System X and Program X form Entity X. A state of the composite 
system is a pair (Agent X, Agent Y) noting that they cannot be both Programs. 
The composite transition rules reflect the following intuitions: 



1. Internal move: V =g g — D i/(fi) C v{V) 

v call/.t,,^ fi/ fi call/^ p/ 

2. Cross-call: f f fc g ^ 



V ® s n 8 A 8' (g>^ W 7" 

3. Cross-return 



V 8' 8 7" 



call j>,fc , callj^fc , 
' > " " r ^ I /TT> "\ (TJ >\P\ 1 1 

4. Program call: s f ( n > s ) = W s ) K fc > S J 

P^B call/ ^> fi'<,fi fc ^( fi ) 

V ^4 8' 8 ^4 V 

5. Program return: f f ( 7J / j s //) = ^ S /)P[^ s ] 

P ®< 8 8' ®£ 8 



6. System call: f (II' ,s") = (II,s'f[v,k,s\ 



fi<8' callf ' v ' k ) r®s"& ktv(&')\n 8 

11 s \n> 11 



g ret 

7. System return: f (II' , s") = (II, s') s [v, 



s\it 



Fig. 2. Rules for semantic composition 



— Rule [TJ If Program X makes an internal (operational) transition System Y 
is not affected. 

— Rules [2j[3] If Program X makes a system transition to System X and System 
Y can match the transition going to Program Y then the composite system 
makes an internal transition. This is the most important rule and it is akin 
to game semantic composition via "synchronisation and hiding" . It signifies 
M making a call (or return) to (from) a function present in M' . 

— Rules HUH If Program X makes a system transition that cannot be matched 
by Entity Y then it is a system transition in the composite system, a non- 
local call or return. 

— Rules EE From a composite system configuration (both entities are in a 
system configuration) either Program X or Program Y can become active 
via a call or return from the system. 

Lemma 1. LetX\® s n Xi be a state in the transition graph of ' [M] ® [M'J that is 
reachable from the initial state. Then, if each includes the triple (Ni, Pi, Si), 
the following conditions hold. 



— (JVi\Pi)nJV 2 = iVin(7v 2 \p 2 ) = 0, Pi\77 = p 2 \n, n c u(s)uk(p 1 up 2 ) c 

Pi U P 2 and z/(dom(s)) = A(P X U P 2 ). 

— dom(«;(si)) n dom(«(s 2 )) = 0, (dom(«;(si)) U dom(/t(s 2 ))) n lis = o-nd 

k(Pi n p 2 ) \ n s = k(p u p 2 ) \ n. 

— If both X\ , X 2 are system configurations and X\ ® s n X 2 is preceded by a state 
of the form V ® s n , 13 then s \ P\ C s\ and s f (P 2 \ Pi) £ s 2 , and dually if 
preceded by Q® s n ,P . Thus, in both cases, s \ (Pj\(PinP 2 )) C Sj fori = 1,2. 

— Not both X\,X 2 are program configurations. If Xi is a program configuration 
thens r(P 3 -i\P) Cs 3 -i- 

Semantic composition introduces a notion of private names: internal contin- 
uation names passed around between the two modules in order to synchronise 
their mutual function calls. As the previous lemma shows, these names remain 
private throughout the computation. Therefore, in checking bisimilarity for such 
reduction systems, special care has to be taken for these private names so that 
external system transitions capturing them do not affect these checks. This is 
standard procedure in calculi with name-binding. 

We define the following translation R from reachable composite states of 
[M] <g> [M'l to states of \M • M'J. 

((m I Pi h si)) ® s n ((N 2 I P 2 h s 2 )) .— > (((m L)N 2 )\K \ III- (h[s'} U s 2 [s']) \ K)) 
((m I P h si)) ®' n (N 2 \P 2 \-s 2 ,t, v, k) .— > ((m U 7V 2 ) \ K I n h si [s 2 ] \ K, t', v, k') 
(m I P h si,t, v, k) ® s n am | P 2 h «a» •— > ((JVi UiV 2 )\if|J7h s 2 [si] \ if, i', v, fc') 

where K = K(P 1 nP 2 )\P s , s' = sf (PinP 2 ), s 4 = s 4 [fc t-> ( Sl , s 2 ) K (s t (n))} for all 
fc e dom(/«(sj)), and (t',k') = (si,s 2 )K(t,k). The function (si,s 2 )k fetches the 
full external frame stack and the external continuation searching back from (t, k), 
that is, (si, s 2 )k (t, k) = (t,k) if k £ K, otherwise if k £ K and Sj(fc) = (t',k') 
then (si, s 2 )if (i' o i, fc'). 

The translation merges names from the component configurations and deletes 
the names in K: these private names do not appear in \M ■ M'J, as there the 
corresponding function calls happen without using the call-return mechanism. 
It also sets H as the set of public names. Moreover, the total store is computed 
as follows. In system configurations we just take the union of the component 
stores and update them with the values of s, which contains the current values 
of all common public names. In program configurations we use the fact that the 
P-component contains more recent values than those of the S-component. 

Proposition 2. For R defined as above and X\® s n X 2 a reachable configuration, 

1. ifX 1 ®j 1 X 2 ^ X[® s nX 2 then i?(Xi®f 7 X 2 ) = i?(X(®^X 2 ), 

2. ifX 1 ®j I X 2 -> X[®jjX 2 then R{X 1 ® s n X 2 ) -> RiX'^X^), 

3. if R(Xt ® s n X 2 ) -*Y and X\ ® s n X 2 then X\ ® s n X 2 -> X[ ® s n X' 2 with 
Y = R(X{ <s' n X' 2 ), 

I ifX x ® s n X 2 A X[ ®^, X' 2 then R(Xt ® s n X 2 ) A R(X[ <g>^', X' 2 ), 

s' s' 

5. if R(Xi ® s n X 2 ) A Y, X x ® s n X 2 and v(a) n K = then X x ® s n X 2 A 

s' s' 

X[ ® s n, X' 2 with Y = R(X[ ®^, X' 2 ), 



where K is obtained from X\ ® s n X2 as above. 

With bisimilarity between semantic and syntactic composites defined as above, 
functional composition follows immediately as a consequence. 

4 Reasoning about SLS 

The epistemically-constrained system-level semantics gives a security-flavoured 
semantics for the programming language which is reflected by its logical prop- 
erties and by the notion of equivalence it gives rise to. 

We will see that certain properties of traces in the SLS of a module correspond 
to "secrecy violations" , i.e. undesirable disclosures of names that are meant to 
stay secret. In such traces it is reasonable to refer to the System as an attacker 
and consider its actions an attack. We will see that although the attack cannot 
be realised within the given language it can be enacted in a realistic system by 
system-level actions. 

We will also see that certain equivalences that are known to hold in con- 
ventional semantics still hold in a system-level model. This means that even in 
the presence of an omnipotent attacker, unconstrained by a prescribed set of 
language constructs, the epistemic restrictions can prevent certain observations, 
not only by the programming context but by any ambient computational system. 
This is a very powerful notion of equivalence which embodies tamper-resistance 
for a module. 

Note. We chose these examples to illustrate the conceptual interest of the SLS- 
induced properties rather than as an illustration of the mathematical power of 
SLS-based reasoning techniques. For this reason, we chose examples which are 
as simple and clear as possible. 

4.1 A system-level attack: violating secrecy 

This example is inspired by a flawed security protocol which is informally de- 
scribed as follows. 

Consider a secret, a locally generated key and an item of data read from the 
environment. If the local key and the input data are equal then output the 
secret, otherwise output the local key. 

In a conventional process-calculus syntax the protocol can be written as 

v svk An (a). \f k=a then out(s) elseout(fc). 

It is true that the secret s is not leaked because the local k cannot be known as 
it is disclosed only at the very end. This can be proved using bisimulation-bascd 
techniques for anonymity. Let us consider an implementation of the protocol: 



((No | Po h 0)) cal1 prot (),fc ) (No, k | P , k h 0, -, E, fc) 




!•* (iVi , fc, ao, ai | Po, fc h (s i— >• ao,p i— V ai, x i— ^ 0), 

(□; if (*x == *p) then * s else * p) o (x =□) o (read(D)), (), fc) 
! ->{(Ni, fc, fc', ao, ai | Pi h (s i-> ao, k i-> ai, x i-> 0, fc' n> (t, fc)))) 





ret ao.fe 



»(iV2 | Pi, ai I - (s h-> ao, k M> ai, x n> 0, fc' n> (t, fc)), t, ai, fc) 





>•* (N2 | Pi, ai h (s h-> ao, k i—T- ai, x H> 02, fc' 1 — ^ (i, fc)), — , 01, fc) 

ret ai, ^ jy^ | p 2 a2 ^ ai |- ( s ^ ao , k i-> ai , x i-> a2 , fc' h-> (i, fc)))) 


ret ai,k' 



>(N2 I Pi , a2, ai h (s i->- ao, k 1— > ai, x h-> a2, fc' 1— >• (t, fc)), t, 01, fc) 


i>* (JV2 I Pi , 02, ai h (s 1 — ^ ao , k 1 — y 01, x 1— ^ ai, fc n> (t, fc)), — , ao, fc) 



ret QQ,fc 



^-^{(N2 I P2, 02, ai, ao h (s^ao,ki->ai,xi-> aa, fc' >-» (t, fc)))). 



Above, f = (□; if(*a; == *fe) then * s else * fc) o (x =□), No = Po = {prot, read}, 
Ni = N U {s,k, x}, iV 2 = Ni U {fc, fc',a ,ai,a 2 } and Pi = P U {fc, fc'}. 

Fig. 3. Secret ao leaks. 



export prot ; 
import read; 

decl prot( ) { local s, k, x; 

s = new() ; k = new() ; x = readO ; 
if (*x == *k) then *s else *k } 



Wc have local variables s holding the "secret location" and k holding the "private 
location" . We use the non-local, system-provided, function read to obtain a name 
from the system, which cannot be that stored at s or k. A value is read into x 
using untrusted system call readO . Can the secrecy of s be violated by making 
the name stored into it public? Unlike in the process-calculus model, the answer 
is "yes". 

The initial state is (( prot, read | prot, read h 0)). We denote the body of 
prot by E. The transition corresponding to the secret being leaked is shown in 
Fig. [3j The labelled transitions are the interactions between the program and 
the system and are interpreted as follows: 

1 . system calls prot ( ) giving continuation k 

2. program calls readO giving fresh continuation fc' 

3. system returns (from read) using fc' and producing fresh name ai 

4. program returns (from prot) leaking local name a± stored in k 

5. system uses fc' to fake a second return from read, using the just-learned 
name a\ as a return value 



6. with ai the program now returns the secret ao stored in s to the environment. 
Values of ai are omitted as they do not affect the transitions. 

The critical step is ([5]), where the system is using a continuation in a pre- 
sumably illegal, or at least unexpected, way. This attack could be executed in a 
language with call-cc-likc control features, but these are lacking from our lan- 
guage. We do not even need a richer ambient language to show how a system-level 
attack can be actually implemented. Surprisingly, all we need is an implementa- 
tion of readO which will wait to receive a value from the attacker, and a mainO 
function which calls protO and reports the value. 

We execute the attack by running the (closed) program in a virtual machine 
in the following way: 

1. execute the program normally until the read function is called; 

2. pause the virtual machine, save its state and exit; 

3. duplicate the file storing the state of the virtual machine and re-start one 
instance of the virtual machine; 

4. feed an arbitrary value to readO; 

5. when the program terminates normally remember the final value, which cor- 
responds to oi, stored in k; 

6. re-start the other instance of the virtual machine; 

7. feed a\ to readO; 

8. when this instance of the program terminates normally it leaks the secret ao 
from s. 

Note that the interaction between the attacker and the two instances of the 
program correspond precisely to the labelled actions in the attack. 

What is remarkable about this attack is that both the term and the context 
are written in a simple programming language that cannot implement the attack! 
The attack happens because of a system-level action, the cloning of a virtual 
machine. Also note that this is not a theoretical attack. Our language is a subset 
of C and it can be compiled, with small syntactic adjustments, by conventional 
C compilers and executed on conventional operating systems. Any virtualisation 
platform such as VMWare or VirtualBox can be used to express this attack. 

4.2 Equivalence 

Functional Compositionality gives an internal consistency check for the seman- 
tics. This already shows that our language is "well behaved" from a system-level 
point of view. In this section we want to further emphasise this point. We can 
do that by proving that there are nontrivial equivalences which hold. There are 
many such equivalences we can show, but we will choose a simple but important 
one, because it embodies a principle of locality for state. 

This deceptively simple example was first given in |12) and establishes the 
fact that a local variable cannot be interfered with by a non-local function. This 
was an interesting example because it highlighted a significant shortcoming of 
global state models of imperative programming. Although not pointed out at the 



time, functor-category models of state developed roughly at the same time gave a 
mathematically clean solution for this equivalence, which followed directly from 
the type structure of the programming language |16| . 

For comparing SLS LTSs we can use a simpler notion of bisimulation which 
relates configurations, and modules, that have common public names. 

Definition 3. TZ is a simulation if, whenever (X±,X2) £ TZ, 

— X\ and X2 have the same public names; 

— JTi -+X[ implies (X[,X 2 ) G TZ; 

— X\ —> X[ implies (n ■ X2) —t X' 2 and (X{,Xo) S TZ, for some name permu- 

s s 

tation 7r such that 7r(a) = a for all public names a of Xi and X^. 
TZ is a bisimulation if it and its inverse are simulations. We say that modules 
Mi and Mi are bisimilar if there is a bisimulation TZ such that (S® Ii , S^j ) € TZ. 

Proposition 4. Bisimulation is a congruence for module composition — ■ — . 

The proof uses the reduction of syntactic composition to semantic composition 
then uses Prop. [2] to show that bisimulation is preserved by semantic compo- 
sition with the same module, which is immediate. This is unsurprising, since 
system-level bisimilarity is more fine-grained than contextual equivalence in the 
programming language. 

It is straightforward to check that the following three programs have bisimilar 
SLS transition systems: 

export f; import g; decl f() {local x; g() ; return *x;} 
export f; import g; decl x; decl f() {g() ; return *x;} 
export f; import g; decl f() {g() ; return 0;} 

Intuitively, the reason is that in the first two programs f-local (module-local, 
respectively) variable x is never visible to non-local function g, and will keep its 
initial value, which it 0. The bisimulation relation is straightforward as the three 
LTSs are equal modulo silent transitions and permutation of private names for x. 
Other equivalences, for example in the style of parametricity [13] also hold, with 
simple proofs of equivalence via bisimulation. 

5 Conclusion 

The Dolev-Yao-like characterisation of the Opponent in this semantics suggests 
that this is a model suitable for modelling security properties. The system-level 
semantics presupposes certain strong guarantees of secrecy and integrity for the 
combined execution environment consisting of compiler and operating system: 
certain location names must be kept secret; the Program source code cannot be 
altered; even if the name of a function or continuation is disclosed the names used 
in the function and in the continuation remain secret. All these requirements can 
be gathered under the principle that the System can make no low-level attacks 
against the Program. This is also consistent with the Dolev-Yao principle that 
the attacker can manipulate messages, but without breaking cryptography. 



Compilers such as gcc do not implement a system-level semantics since lo- 
cations are not secret and the code layout is known, allowing low-level attacks. 
Most security violation of C code are through low-level attacks such as buffer 
overflows. However, there are significant research and industrial efforts to pro- 
duce tamper-proof code through techniques such as address layout randomisa- 
tion |7lf 4] , address obfuscation [3] , instruction-set obfuscation [5] or secure pro- 
cessors |T5] • A system-level semantics gives a semantically-directed specification 
for a tamper-proof compiler. System-level semantics also gives a basis for the 
study of security properties of programs compiled with such tamper-proof com- 
pilers, highlighting logical attacks, such as the secrecy violation in Sec. 14. f I The 
system does not guess any of the secrets of the program and it does not tamper 
with its code, but it clones it wholesale then plays the two instances against each 
other, a typical replay attack. Conversely, the equivalences of Sec. 14.21 present 
opportunities for optimisations which hold not only relative to certain compilers, 
but to a more comprehensive concept of execution environment. 
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A Nominal Sets 



It is handy to introduce here some basic notions from the theory of nominal 
sets [1]. We call nominal structure any structure which may contain names, 
i.e. elements of A/", and we denote by Perm the set of finite permutations on AT 
which are sort-preserving (i.e. if a £ Af\ then 7r(a) £ A/a, etc.). For example, 
id = {(a, a) | a £ A/"} £ Perm. For each set A of nominal structures of interest, 
we define a function _ ■ _ : Perm xl->l such that tt ■ (tt' ■ x) — (tt o tt') ■ x and 
id • x = x, for all x £ A and tt, tt' £ Perm. X is called a nominal set if all its 
elements involve finitely many names, that is, for all x £ X there is a finite set 
5* C J\f such that tt ■ x = x whenever Va £ S.ir(a) = a. The minimal such set S 
is called the support of x and denoted by u{x). For example, A/" is a nominal set 
with action tt ■ a — 7r(a), and so is 7 , f n (A/') with action tt ■ S = {^(a) | a £ >?}• 

Also, any set of non-nominal structures is a nominal set with trivial action 
tt ■ x — x. More interestingly, if X, Y are nominal sets then so is X x Y with 
action tt ■ (x, y) = (tt -x,tt -y). This extends to arbitrary products and to strings. 
Also, if A is a nominal set then so is the set Unca/^' ■■■i n ) ~^ X) with action 
tt ■ f = {(i, tt ■ x) | (i, x) £ /}. Finally, if A, Y are nominal sets then so is the set 
X — ^fn Y with action tt ■ f = {(tt ■ x, tt ■ y) \ (x, y) £ /}. 

B Proof of Proposition [2] 

Proof. For 1, let A x = (Aj | Pi h s x ,io/(D), u, fc), Jf 2 = ((A 2 | P 2 r- s 2 )) and the 
r-transition being due to an internal transition with label (s;, call /, u, fc'). Thus, 
^ = ((N{ | P{ h s[)), X' 2 = (A 2 I P' 2 h 4. /(□),«,*'), and so R(X 1 ® s n X 2 ) = 
(A | n b s ,i ,w,fco) and i?(A( ®£ X 2 ) = (Aq | 77 h s' ,^,«,^). Computing 
K,K' as above, we have K' = K U {k'}. Moreover, = Si[fe' n> (t, fc)] and 
s 2 = S U( S2 \P 2 ),so (t' ,k' ) = (s[,s' 2 ) K ,(f(D),k') = (si, s' 2 ) K ,(tof(n),k). Since 
fc' is fresh, (si, s' 2 ) K >(t o /(□), fc) = ( Sl , s 2 )^(t o /(□), fc) = (t ,k ). Moreover, 
A = (JVx U A 2 ) \ K and Aq = (A{ U A 2 ) \ K' = (N l U {fc'} U A 2 U i^(w, s,)) \ K'. 
As Si) C Ni and fc' £ A', we get A = A^. Finally, s = s^.^} \ K and 
s o = s'i[s' 2 ]\K'. Thus, s' = si[s' 2 ]\A = s x [s'U(s 2 \A(P 2 ))]\A. Moreover, s' = s x f 
A(P{) so So = si[s 2 \A(P 2 )]\A. But now note that dom(s 2 \A(P 2 ))ndom(si) = 0: 
by the previous lemma, dom(si) and dom(s 2 ) share no continuation names, and 
if a is a location name in dom(s 2 ) \ P 2 then a £ N%. Thus, so = s' . Similarly if 
the r-transition is due to an internal return. 

Item 2 is straightforward. For 3, the only interesting issue is establishing that 
if Ai (gifj A 2 is in such a form that a T-transition needs to take place then the 
latter is possible. This follows directly from the definition of the transitions and 
the conditions of the previous lemma. In the following cases we consider call 
transitions; cases with return transitions are treated in a similar manner. 

For 4, let X 1 = «JVi | Pi h A 2 = ((N 2 \ P 2 h s 2 )), a = (s', call /, v, k) 
and suppose the transition is due to Ai reducing to X[ = (N[ \ P[ b s' 1; /(□), v, k) 
with label (s-„ call/, v, k). We have 77' = IlUv(v, k, s : \Pr), Pr = (AiUA 2 )\7T, 
s' = Si \ 77' and v(v, s : \ Pr) n Pr = 0. Let P(Ai Ofj A 2 ) = ((A | 77 b s )). As 



k ^ dom(si) and k v(X?) \ lis, by previous lemma we obtain k ^ dom(so), so 
the latter reduces to (Nq \ P h s , /(□),«, k) with transition (s'", call /, v, k), 
for any appropriate s'". In fact, if v(v, s') DNq C II then we can choose s'" = s'. 
Indeed, (v(v, s') n A ) \ 77 C s') n (N \ n) C s') HPr = s, f 
77') n Pr = v(v, s; \ Pr) HPr = 0. Let R(X[ <g>^', A 2 ) = «/Vo | 77' h <)). We can 
see that 7V = Nq. Also, P = 77 U {k} U s') while 77' = 77 U i>(t>, fc, s : \ Pr) = 
77lV(v, k,s'). Moreover, s' Q = s'U(s \A(77)) = s / U((s 1 [s 12 ]Us 2 [si 2 ])\(i<'UA(i7))) 
with s 12 = s \ (P x n P 2 ), and ag = S a [«i] \ K' = s 2 [ Si U (s a \ A(P X ))] \ X'. Note 
that K' = K . Moreover, s' and s' ' agree on the domain of s' and on contin- 
uation names. Also, if location name a G Nq \ Nq then a G v(v,s') and thus 
a G dom(s'). Thus, we need to show that s' , s' ' agree on location names a from 
7V \ 77. If a G iVi \ Pi then s (a) = si(a) = s '(a), and similarly if in 7V 2 \ P 2 
using the fact that (7V 2 \ P 2 ) D TVi = 0. Finally, if a G Pi \ 77 = P 2 \ 77 then 
So (a) = s(a) = Si (a) = s '(a), by restrictions on s,. 

Now let Ai = (Nx | Pi h si, t o /(□),«,*:}, A 2 = «A 2 | P 2 h s 2 )), a = 
call /, u, k' and suppose the transition is due to Ai reducing to A{ = ((N[ \ P[ h 
s[)) with label (s u call /, u, &'). We have (77', s") = (77, s)[v, s-,} and s' = s" f 77'. 
We can assume, by definition, that (si, s 2 )_R-(i o /(□),&) = (to o f(D),k ), so 
R(Xi ® s n A 2 ) = (No | 77 h s , to /(□),«, fco). As / is not defined in either of 
the modules and k' is completely fresh, the latter reduces to ((Nq | P h s )) with 
transition (s'", call/, v, k'). Let R(X[ A 2 ) = ((Nq | 77' h s ')). It is easy to 
see that Nq = Nq. Moreover, s' = s [fc' i-> (i ,&o)] and s ' = (s' 1 [s' 1 ' 2 ]Us 2 [si' 2 ])\A 
where s'/ 2 = s" f (P x nP 2 ). Note that K' = n(P[C\P 2 ) = K and s '(V) = si(fc') = 
(s'i, s 2 )k'(^' = (*0) &())• Also, s' and s ' agree on all other continuation names. 
Thus, in order to establish that s' = s' \ it suffices to show that s 2 [si] and 
si[s" 2 ] U s 2 [si' 2 ] agree on locations. From the previous lemma, s" agrees with s\ 
on locations in P{ and with s 2 on locations in P 2 \ P[, and so s" C s 2 [si]. Thus, 
A(si [s'/ 2 ] U s 2 [s'/ 2 ]) = A(si U (s 2 \P{)) = X(s 2 [sx}). 

For public names, we have P = Cl(s , 77 U v(v)) U {k'} = CI (s'q, II\Jv(v, fc')) 
while 77' = C7(s", 77 U u(v, k')). As k(P) = rc(77) U {fc'} = k(77'), we can focus 
on location names. We have s" C s and, moreover, dom(s") = A(P[ U P 2 ) 3 
A(77 U v(v, k')), thus P = 77'. Finally, s' = s'" follows from the fact that these 
are restrictions of the final stores to the final sets of public location names. 

For 5, let X 1 = ((Nx \ Px h Sl », A 2 = {(7V 2 | P 2 h s 2 )), R(X X ® s n A 2 ) = 
((N | 77 h s )) and a = (s', call /, v, k). We have that / is defined in M ■ M' so 
WLOG assume that it is defined in M. Then, A x reduces to X[ = (N[ \ P{ h 
s'i, /(□), v, k) with (si, call /, v, k), s\ = s' U (s \ II), if the relevant conditions 
for S-P calls are satisfied. 

If k G dom(si) then, by lemma, k £ Pis- By assumption, k G 77 so k £ 
k(Px UP 2 ) \77 and thus, by lemma, k k(Px HP 2 ) \77 s so k g P 2 . But the latter 
would imply k G dom(so), which is disallowed by definition. Thus, k £ dom(si). 

Moreover, if a G v(v, s : ) n (Nx \ Pi) = ^(u, s') n (A x \ Pi) then a G s') n 
(7V \ Pi) and a £ P 2 , so a G i/(t>, a') D (A \ (Pj U P 2 )) C s') n (A \ 77), 
thus contradicting the conditions for the transition a. We still need to check 
that sx \ A(Pi) C si = s' U (s \ 77). Given that s f A(77) = (si[s i2 ] U s 2 [s i2 ]) f 



A (77) C s', the condition follows from the previous lemma. We therefore obtain 
a transition from X\ ® s n X 2 to X[ ® s n , X 2 ; the relevant side-conditions are 
shown to be satisfied similarly as above. Finally, working as in 4, we obtain 
R{X[ ®£> X 2 ) = Y and s' = s'". 

Now let Xx = (Ni | Fx h s u t o /(□),«, k), X 2 = ((N 2 \ P 2 h s 2 )), R(Xx ® s „ 
X 2 ) = (No | 77 h so,io ° /(n), w 7fco) an d a = call/, By hypothesis, fc' is 
fresh and therefore X\ reduces to X[ = ((7V{ | h s^)) with (sj, call /, v, fc'), 
and thus Xi (gijj X 2 reduces to X[ ® s n , X 2 with (s'", call /, u, fc'). Working as 
in 4, J?(X{ Jf 2 ) = y and s' = s'". 



